neshta | 1e8ef0b7823dcf23a99cfc4d40c34786cbd1032581d906c5adea3bba3ade0449

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2025 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
Size

368KB
MD5

182a26233416f1cd3249e487bec9d58d
SHA1

bddb9925cc64ef4955d3af8cb97952a51689e596
SHA256

1e8ef0b7823dcf23a99cfc4d40c34786cbd1032581d906c5adea3bba3ade0449
SHA512

996f6dacd765d6ae25a40c2ea4ca1e37bab8e12f817cded4075c7d200c35e623b04098da7564ca6b18ac0456cea9cf26a83177e46462bfda01a83889af2a001a
SSDEEP

6144:jyH7xOc6H5c6HcT66vlmrJp13452WhN+nPQ4mevjx1GVUHnthaTBaE9A1XtR4UeJ:jakp13mvNSPmUHGVmaTAEwd9eJ

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 6 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c83-8.dat	family_neshta
behavioral2/files/0x0004000000020343-24.dat	family_neshta
behavioral2/memory/3740-107-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3740-109-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3740-111-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3740-114-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe

Executes dropped EXE 4 IoCs

pid	Process
3184	svchost.exe
3740	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
3912	svchost.exe
2044	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	svchost.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	svchost.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	svchost.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	svchost.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
File opened for modification	C:\Windows\svchost.com	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 3184	4596	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe	87
PID 4596 wrote to memory of 3184	4596	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe	87
PID 4596 wrote to memory of 3184	4596	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe	87
PID 3184 wrote to memory of 3740	3184	svchost.exe	88
PID 3184 wrote to memory of 3740	3184	svchost.exe	88
PID 3184 wrote to memory of 3740	3184	svchost.exe	88
PID 3740 wrote to memory of 2044	3740	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe	90
PID 3740 wrote to memory of 2044	3740	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe	90
PID 3740 wrote to memory of 2044	3740	JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3184
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3740
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2044

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
328KB

MD5
39c8a4c2c3984b64b701b85cb724533b

SHA1
c911f4c4070dfe9a35d9adcb7de6e6fb1482ce00

SHA256
888a1dd0033e5d758a4e731e3e55357de866e80d03b1b194375f714e1fd4351d

SHA512
f42ca2962fe60cff1a13dea8b81ff0647b317c785ee4f5159c38487c34d33aecba8478757047d31ab2ee893fbdcb91a21655353456ba6a018fc71b2278db4db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe

Filesize
292KB

MD5
1a7507b7410c9b7985ee1df26fdb50ca

SHA1
9b0b289fe9a95fdbd037cc89e9c60e116c968b3e

SHA256
d9cb9083f54312203a0dad3349a04eafc0211be6934b30e37f856b72b15f956a

SHA512
c5ebb43f5f0f46eca87e1ae052b0dd972ab5200fa5bae736af60589f415ce307fa07e4e19cee9c8f2d95d538561a1182f535d16eef1b7eb05b82d0b3d64d2238

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_182a26233416f1cd3249e487bec9d58d.exe

Filesize
332KB

MD5
21457be2cadea289f89ef25a581bbf40

SHA1
2a7a7b0e439cc0c997be8cc76b3fd2e7b2e0620a

SHA256
fcac4ab1c72efb51e5118f303422a8c9e2f35afdcfe1a6e57c6594019a21ad43

SHA512
c600e4ec34aede98636f7a748c26ddb004b8e1c5a732ea4655e0762b6d89d1b3a9d295a2381371a02c4cf4f8cd9693adcd1f2870de890c05d2699572a82e0a20

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
memory/2044-23-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3184-10-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3740-107-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3740-109-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3740-111-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3740-114-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3912-108-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3912-110-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3912-112-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3912-125-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4596-3-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads